cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
669
Views
7
Helpful
5
Replies

Custum Logs Nexus 9K

AlejandroIslas
Level 1
Level 1

Hi everyone,

I would greatly appreciate your help.

In a cisco switche Nexus 9K I would like to see in the log who made changes is some activities like add o delete users, for example “new user: name=ciscouser by admin” or “useradd by admin” it is possible to do?

For now I can see in the logs something like this (it doesn't appear who created or deleted the user):

2024 Jan 2 19:03:44 mxtulm01swocptor02 %AUTHPRIV-6-SYSTEM_MSG: new user: name=ciscouser, UID=2012, GID=504, home=/var/home/ciscouser, shell=/isan/bin/vsh_perm - useradd[32697]

2024 Jan 2 19:37:29 mxtulm01swocptor02 %AUTHPRIV-6-SYSTEM_MSG: delete user 'ciscouser' - userdel[8984]

My configuration is:

logging logfile messages 7 size 512000

logging server 10.10.10.1 7 use-vrf management_inband facility syslog

logging source-interface Vlan21

logging monitor 7

logging level user 6

logging level auth 6

logging level authpri 6

logging console 5

1 Accepted Solution

Accepted Solutions

marce1000
VIP
VIP

 

 - FYI : https://community.cisco.com/t5/network-management/log-configuration-changes-to-syslog-on-nexus-7000/m-p/2509023#M102073

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

5 Replies 5

marce1000
VIP
VIP

 

 - FYI : https://community.cisco.com/t5/network-management/log-configuration-changes-to-syslog-on-nexus-7000/m-p/2509023#M102073

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

@marce1000Thanks for the recommendation, I checked the link that you shared me I was able to find a solution, the only thing that I did was change the accounting logs level:

  1. logging level aaa 6
  2. logging server 10.10.10.1 7 use-vrf management_inband facility syslog

now I can see who excute the instruction for any activity:

2024 Jan 3 09:50:30 tor02 %AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.32.14.201@pts/2:admin:added user UserSIEM

2024 Jan 3 11:36:32 tor02 %AAA-6-AAA_ACCOUNTING_MESSAGE: update:10.32.1.177@pts/2:admin:deleted user UserSIEM

Regards,

 

 

Thanks alot for update us

Have a nice day 

And happy new year 

MHM

logging origin-id hostname <<- try add this and check

MHM

@MHM Cisco World , I tried with these option but only I could see hostname in all events, I applied the solutions that @marce1000  recomeded me and can solve it. Thanks for you help

Review Cisco Networking for a $25 gift card